exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

movilnetCaptcha.txt

movilnetCaptcha.txt
Posted Apr 1, 2006
Authored by Ruben Recabarren, Leandro Leoncini

Movilnet's Web SMS Captcha implementation is weak and it is possible to recognize its patterns 100% of the time.

tags | advisory, web
SHA-256 | 6efa607accbecb5b0c7fb26469c490a0223aff141c4b3fff76e00a9740d8632f

movilnetCaptcha.txt

Change Mirror Download

Quick Summary:
************************************************************************

Product : Movilnet's Web SMS.
Version : In-production versions.
Vendor : Movilnet - http://www.movilnet.com.ve/
Class : Remote
Criticality : High
Operating System(s) : N/A.

Synopsis
************************************************************************

From Cantv's corporative webpage:
"Cantv es la compania privada más grande de Venezuela. Desde su
privatizacion
en 1991, la compania ha experimentado una constante transformacion para
convertirse en una empresa competitiva, con altos niveles de calidad en la
oferta de sus productos y servicios de transmision de voz, datos, acceso a
internet, telefonia celular y directorios de informacion."

Movilnet is an affiliate of Cantv, the largest private telecomunications
company in Venezuela.

Movilnet's Web SMS is a very popular Short Messages System that allows web
surfers to send short text messages directly to Movilnet's mobile phone
subscribers.

Notice
************************************************************************

The very popular Movilnet's Web SMS protects its mobile customers from SMS
bombs, and undesirable spam using the mechanism pioneered by Blum's AI
group
at Carnegie Mellon University that tries to tell humans and computers apart
by using programs known as captchas. Unfortunately, Movilnet's captcha
implementation is a very weak one and it is possible to recognize its
patterns
100% of the time. Others have previously reported breaking "scode" based
captchas,
however no proof of concept source code has ever been released to the
public.

Vendor Status
************************************************************************

SNSecurity has contacted Movilnet, who already knew about the problem
and is currently dealing with the issue.

2/21/2006 Vendor is contacted about the vulnerability.
2/23/2006 Vendor informs the vulnerability was already known and asks
for a 30 day period before publication.
3/17/2006 Vendor agrees to make the advisory public at the date agreed
upon.
3/27/2006 Advisory is made public.

Basic Explanation
************************************************************************

There are several problems with the "scode" based captcha used by Movilnet
on their Web Short Message System. Most notoriously, the captcha's
challenge
space is very reduced. Estimates performed by our research labs indicate
that
only 16 Mb of memory would be required to store pre-calculated data that
would
allow for a complete image to response map.

Additionally, several other design flaws present on Movilnet's captcha
implementation allow for the creation of heuristic algorithms that would
not
require data pre-calculation at all. Most important weaknesses include: only
one font, no color variation, useless perturbation, no rotation and no
deformation.

Proof Of Concept Status
************************************************************************

No proof of Concept will be released until the provider has sorted out the
issue.

Work Around
************************************************************************

No work around is possible to prevent abusers to spam or sms-bomb mobile
customers. If you are sms-bombed you can only turn off your mobile phone
and ask a Movilnet representative to have your entire short text message
queue deleted.

Corrective Measures
************************************************************************

Replace the captcha module for a stronger and more robust implementation.

Credits
************************************************************************

This vulnerability was discovered by Ruben Recabarren and Leandro Leoncini
at SNSecurity's Research Lab.

Disclaimer
----------------------------------------------------------------------
This advisory was released by SNSecurity as a matter of notification to
help administrators protect their systems and to warn mobile customers
against the described vulnerability. Exploit source code is never released
in our advisories but can be obtained under contract. Contact our sales
department at info (at) snsecurity (dot) com for further information on how
to obtain proof of concept code.

----------------------------------------------------------------------
SNSecurity. http://www.snsecurity.com
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close